Amazon might not have a security issue at Audible but they do have one on their main website.
A security researcher has reported, and I can confirm, that Amazon has a security hole on the “manage Your Kindle” page – one which is relatively easy to fix.
Thanks to this hole, a hacker can gain access to the Amazon account simply by getting his victims to download an ebook which was itself hacked to include a script in the title:
Once an attacker manages to have an e-book (file, document, …) with a title like
added to the victim’s library, the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised.
I’ve tried it, and it does work. I saw something similar to the image which the hacker posted to his blog.
As a result I would urge caution against buying or downloading ebooks from untrustworthy sources – for the near future, at least. I expect Amazon will fix this problem shortly – that’s what they did when it was first discovered last fall.
No this is not a new story, though it is just coming to light. The German ebook blog AlleseBook.de broke the story earlier today when they reported on the hacker who discovered this issue – and more importantly, provided an ebook which could prove the hack worked.
Benjamin Daniel Mussler writes that he discovered this security issue last October. He notified Amazon in November, and they fixed it 4 days later. That is great, but then then Amazon reintroduced the security hole earlier this year when they launched the new version of the “Manage Your Kindle” page.
As of the time I wrote this post, Mussler’s hack still worked. There’s even an ebook which you can use to test the hack yourself, if you like. I would recommend against it, but it is up to you.
On a related note, if you’re worried about being hacked, there is a simple rule you can follow to keep yourself safe.
I have a rule against downloading apps from questionable websites, one which I have long since applied to Epub ebooks (because they can contain Javascript) and PDFs (because they can hold entire apps). Now it would seem that rule needs to be expanded to include Kindle ebooks as well.
I am Martin Odinuwe, a logo identity designer, Graphic designer, Video editor and a professional videographer based in Abuja, Nigeria with over five years experience. I am currently a consultant with Reachout Multiservice company ltd a multimedia company in Abuja
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
